Certificate based authentication is not working with Microsoft O365
Article ID: 281763
Updated On: 04-08-2024
Products
Data Loss Prevention Core Package
Issue/Introduction
You are trying to implement certificate-based authentication between O365 and DLP.
Cause
Client Authentication for On-Prem Network Prevent For Email is currently not supported.
In logs you might see the error "5.7.64 TenantAttribution; Relay Access Denied [ValidationStatus of '' is EmptyCertificate"
Resolution
- According to Microsoft's SMTP requirements page, IP Authentication is still supported:
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-8/Using-cloud-services-to-prevent-data-loss/Configuring-Microsoft-365-to-use-Microsoft-365-for-email-delivery-using-Reflecting-mode.html
"The sending host’s IP address or certificate domain on the SMTP connection matches your organization’s Inbound Connector of OnPremises type." - If Microsoft requires Client Auth in the future, then Cloud Detection Server (CDS) is our documented solution https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-8/Using-cloud-services-to-prevent-data-loss/Configuring-Microsoft-365-to-use-Microsoft-365-for-email-delivery-using-Reflecting-mode.html
- An alternative suggestion would be to introduce an edge MTA after DLP NPE and before Exchange Online.
- Customers may also raise an enhancement request to support Client Authentication in On-Prem NPE.
Feedback
Yes
No
Powered by
